[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[libvirt] [PATCHv2-resend] uml: sanity check external data before using it



Otherwise, a malicious packet could cause a DoS via spurious
out-of-memory failure.

* src/uml/uml_driver.c (umlMonitorCommand): Validate that incoming
data is reliable before using it to allocate/dereference memory.
Don't report bogus errno on short read.
Reported by Jim Meyering.
---

While trying to flush some of my pending patches, I noticed that
this one had never been given an ack.  Originally at:
https://www.redhat.com/archives/libvir-list/2010-March/msg00195.html


 src/uml/uml_driver.c |   12 ++++++------
 1 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/uml/uml_driver.c b/src/uml/uml_driver.c
index 3111211..1cbd0bd 100644
--- a/src/uml/uml_driver.c
+++ b/src/uml/uml_driver.c
@@ -734,15 +734,15 @@ static int umlMonitorCommand(const struct uml_driver *driver,
         if (nbytes < 0) {
             if (errno == EAGAIN || errno == EINTR)
                 continue;
-            virReportSystemError(errno,
-                                 _("cannot read reply %s"),
-                                 cmd);
+            virReportSystemError(errno, _("cannot read reply %s"), cmd);
             goto error;
         }
         if (nbytes < sizeof res) {
-            virReportSystemError(errno,
-                                 _("incomplete reply %s"),
-                                 cmd);
+            virReportSystemError(0, _("incomplete reply %s"), cmd);
+            goto error;
+        }
+        if (sizeof res.data < res.length) {
+            virReportSystemError(0, _("invalid length in reply %s"), cmd);
             goto error;
         }

-- 
1.7.0.1


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]